Bug 1769287
| Summary: | Divide-by-zero crash in libmp4v2 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ryan <ryan> |
| Component: | libmp4v2 | Assignee: | David King <amigadave> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 31 | CC: | amigadave, dominik, matthias, moez.roy, sergio |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | libmp4v2-2.1.0-0.19.trunkREV507.fc31 libmp4v2-2.1.0-0.19.trunkREV507.fc30 libmp4v2-2.1.0-0.19.trunkREV507.fc29 libmp4v2-2.1.0-0.19.trunkREV507.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-08 08:52:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
ryan@testtoast.com
2019-11-06 10:33:29 UTC
thanks for the report, can you use gdb? I don't know what lldb? I need to know the name of the function, MP4Read?

Sorry, my mistake, forgot the -debuginfo package. Try now:

```
(lldb) bt
* thread #1, name = 'cmus', stop reason = signal SIGFPE: integer divide by zero
  * frame #0: 0x00007f39aa4c48fc libmp4v2.so.2`mp4v2::impl::MP4Integer32Property::SetCount(unsigned int) + 44
    frame #1: 0x00007f39aa4bfdef libmp4v2.so.2`mp4v2::impl::MP4TableProperty::AddProperty(mp4v2::impl::MP4Property*) + 143
    frame #2: 0x00007f39aa48e832 libmp4v2.so.2`mp4v2::impl::MP4StandardAtom::MP4StandardAtom(mp4v2::impl::MP4File&, char const*) + 7602
    frame #3: 0x00007f39aa4a45db libmp4v2.so.2`mp4v2::impl::MP4Atom::factory(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) + 235
    frame #4: 0x00007f39aa4a5c93 libmp4v2.so.2`mp4v2::impl::MP4Atom::CreateAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*, char const*) + 35
    frame #5: 0x00007f39aa4a63e6 libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 326
    frame #6: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #7: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #8: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #9: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #10: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #11: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #12: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #13: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #14: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #15: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #16: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #17: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #18: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #19: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #20: 0x00007f39aa4a647e libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) + 478
    frame #21: 0x00007f39aa4a684f libmp4v2.so.2`mp4v2::impl::MP4Atom::ReadChildAtoms() + 239
    frame #22: 0x00007f39aa4a7a88 libmp4v2.so.2`mp4v2::impl::MP4Atom::Read() + 88
    frame #23: 0x00007f39aa4b3708 libmp4v2.so.2`mp4v2::impl::MP4File::ReadFromFile() + 104
    frame #24: 0x00007f39aa4b6a2d libmp4v2.so.2`mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) + 29
    frame #25: 0x00007f39aa49febe libmp4v2.so.2`MP4Read + 46
    frame #26: 0x00007f39aae63a4b mp4.so`mp4_open(ip_data=0x00000000021bf2b8) at mp4.c:177:21
    frame #27: 0x0000000000421af4 cmus`ip_open at input.c:463:8
    frame #28: 0x0000000000421a0a cmus`ip_open at input.c:481
    frame #29: 0x0000000000421a00 cmus`ip_open(ip=0x00000000021bf2b0) at input.c:599
    frame #30: 0x000000000042b45c cmus`_producer_play at player.c:660:8
    frame #31: 0x000000000042c9da cmus`player_set_file(ti=0x000000000178fb30) at player.c:1164:3
    frame #32: 0x000000000043c6b9 cmus`mpris_next(m=0x00000000021cef10, _userdata=<unavailable>, _ret_error=<unavailable>) at mpris.c:118:2
    frame #33: 0x00007f39aac27d1b libsystemd.so.0`___lldb_unnamed_symbol760$$libsystemd.so.0 + 971
    frame #34: 0x00007f39aac1068a libsystemd.so.0`___lldb_unnamed_symbol657$$libsystemd.so.0 + 4410
    frame #35: 0x000000000043cd56 cmus`mpris_process at mpris.c:522:10
    frame #36: 0x000000000040d6b5 cmus`main at ui_curses.c:2275:4
    frame #37: 0x00007f39aaa131a3 libc.so.6`__libc_start_main + 243
    frame #38: 0x000000000040daee cmus`_start + 46
```

And with gdb:

```
(gdb) bt
#0  mp4v2::impl::MP4Integer32Array::Resize (newSize=0, this=0x226cfd0) at src/mp4array.h:131
#1  mp4v2::impl::MP4Integer32Property::SetCount (this=0x226cfb0, count=0) at src/mp4property.h:205
#2  0x00007fc5bb9afdef in mp4v2::impl::MP4TableProperty::AddProperty (this=this@entry=0x226cf70, pProperty=pProperty@entry=0x226cfb0) at src/mp4property.cpp:694
#3  0x00007fc5bb97e832 in mp4v2::impl::MP4StandardAtom::MP4StandardAtom (this=0x226c670, file=..., type=<optimized out>) at src/mp4property.h:57
#4  0x00007fc5bb9945db in mp4v2::impl::MP4Atom::factory (file=..., parent=<optimized out>, type=0x7ffc56cb89ab "stts") at src/mp4atom.cpp:1020
#5  0x00007fc5bb995c93 in mp4v2::impl::MP4Atom::CreateAtom (file=..., parent=<optimized out>, type=<optimized out>) at src/mp4atom.cpp:78
#6  0x00007fc5bb9963e6 in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22a50c0) at src/mp4atom.cpp:174
#7  0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22a50c0) at src/mp4atom.cpp:435
#8  0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22a50c0) at src/mp4atom.cpp:241
#9  0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22a0e00) at src/mp4atom.cpp:201
#10 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22a0e00) at src/mp4atom.cpp:435
#11 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22a0e00) at src/mp4atom.cpp:241
#12 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x229fa50) at src/mp4atom.cpp:201
#13 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x229fa50) at src/mp4atom.cpp:435
#14 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x229fa50) at src/mp4atom.cpp:241
#15 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x2395120) at src/mp4atom.cpp:201
#16 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x2395120) at src/mp4atom.cpp:435
#17 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x2395120) at src/mp4atom.cpp:241
#18 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x2394760) at src/mp4atom.cpp:201
#19 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x2394760) at src/mp4atom.cpp:435
#20 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x2394760) at src/mp4atom.cpp:241
#21 0x00007fc5bb99647e in mp4v2::impl::MP4Atom::ReadAtom (file=..., pParentAtom=0x22aeea0) at src/mp4atom.cpp:201
#22 0x00007fc5bb99684f in mp4v2::impl::MP4Atom::ReadChildAtoms (this=0x22aeea0) at src/mp4atom.cpp:435
#23 0x00007fc5bb997a88 in mp4v2::impl::MP4Atom::Read (this=0x22aeea0) at src/mp4atom.cpp:241
#24 0x00007fc5bb9a3708 in mp4v2::impl::MP4File::ReadFromFile (this=0x22a13c0) at src/mp4file.cpp:430
#25 0x00007fc5bb9a6a2d in mp4v2::impl::MP4File::Read (this=0x22a13c0, name=<optimized out>, provider=<optimized out>) at src/mp4file.cpp:96
#26 0x00007fc5bb98febe in MP4Read () at src/mp4.cpp:102
#27 0x00007fc5bc353a4b in mp4_open (ip_data=0x23ad6f8) at ip/mp4.c:177
#28 0x0000000000421af4 in open_file_locked (ip=0x23ad6f0) at input.c:463
#29 open_file (ip=0x23ad6f0) at input.c:481
#30 ip_open (ip=0x23ad6f0) at input.c:599
#31 0x000000000042b45c in _producer_play () at player.c:660
#32 0x000000000042c8cd in player_pause () at player.c:1127
#33 player_pause () at player.c:1117
#34 0x000000000043c659 in mpris_toggle_pause (m=0x22a0620, _userdata=<optimized out>, _ret_error=<optimized out>) at mpris.c:139
#35 0x00007fc5bc117d1b in object_find_and_run.lto_priv () from /lib64/libsystemd.so.0
#36 0x00007fc5bc10068a in bus_process_internal () from /lib64/libsystemd.so.0
#37 0x000000000043cd56 in mpris_process () at mpris.c:523
#38 0x000000000040d6b5 in main_loop () at ui_curses.c:2275
#39 main (argc=<optimized out>, argv=<optimized out>) at ui_curses.c:2556
```

Looks like SetCount(0) is then passed to Resize(), with a division by newSize without a check for zero here:

https://github.com/sergiomb2/libmp4v2/blob/84edb32a783383b70b6ef9364bbc710fa0c92e32/src/mp4array.h#L106

(In reply to ryan from comment #2)
> #0 mp4v2::impl::MP4Integer32Array::Resize (newSize=0, this=0x226cfd0) at src/mp4array.h:131
> #1 mp4v2::impl::MP4Integer32Property::SetCount (this=0x226cfb0, count=0) at src/mp4property.h:205
> Looks like SetCount(0) is then passed to Resize(), with a division by
> newSize without a check for zero here:
>
> https://github.com/sergiomb2/libmp4v2/blob/84edb32a783383b70b6ef9364bbc710fa0c92e32/src/mp4array.h#L106

yeah thanks

I choose this patch [1] in favor of another, I will fix it

[1] https://github.com/sergiomb2/libmp4v2/commit/f5f814801ecd312a1418e2226dadfea72badec49

FEDORA-2019-d53d4a79ac has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac

FEDORA-2019-1030f4816a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1030f4816a

FEDORA-2019-6469ad8129 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6469ad8129

FEDORA-EPEL-2019-25eb663796 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-25eb663796

Fixed in F31 by https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac, thanks!

libmp4v2-2.1.0-0.19.trunkREV507.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d53d4a79ac

libmp4v2-2.1.0-0.19.trunkREV507.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1030f4816a

libmp4v2-2.1.0-0.19.trunkREV507.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-25eb663796

libmp4v2-2.1.0-0.19.trunkREV507.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6469ad8129

libmp4v2-2.1.0-0.19.trunkREV507.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

libmp4v2-2.1.0-0.19.trunkREV507.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

libmp4v2-2.1.0-0.19.trunkREV507.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

libmp4v2-2.1.0-0.19.trunkREV507.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
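
The failure diagnosed in the thread above (SetCount(0) reaching Resize(), which divides by newSize), as an added C++ example that is not libmp4v2's code or the referenced patch. It assumes the overflow guard divided a byte limit by the element count; FitsUnchecked, FitsChecked, Int32Array and kMaxBytes are hypothetical names.

```cpp
// Added illustration: hypothetical names, not libmp4v2 source.
#include <cstdint>
#include <cstdio>
#include <cstdlib>

static const uint64_t kMaxBytes = 0xFFFFFFFFu;  // assumed cap on array bytes

// Guard shaped like the one described in the thread: the file-controlled
// count is the divisor, so newSize == 0 raises SIGFPE on x86 (UB in C++).
bool FitsUnchecked(uint32_t newSize, uint64_t elemSize) {
    return kMaxBytes / newSize >= elemSize;
}

// Hardened guard: divide by the element size, a nonzero compile-time value.
bool FitsChecked(uint32_t newSize, uint64_t elemSize) {
    return elemSize != 0 && newSize <= kMaxBytes / elemSize;
}

class Int32Array {
public:
    Int32Array() : m_elements(nullptr), m_numElements(0) {}
    ~Int32Array() { std::free(m_elements); }
    Int32Array(const Int32Array&) = delete;
    Int32Array& operator=(const Int32Array&) = delete;

    // Returns false and leaves the array untouched on overflow or OOM.
    bool Resize(uint32_t newSize) {
        if (!FitsChecked(newSize, sizeof(uint32_t))) return false;
        if (newSize == 0) {  // empty table: release storage, skip realloc(p, 0)
            std::free(m_elements);
            m_elements = nullptr;
            m_numElements = 0;
            return true;
        }
        void* p = std::realloc(m_elements, (size_t)newSize * sizeof(uint32_t));
        if (p == nullptr) return false;
        m_elements = static_cast<uint32_t*>(p);
        m_numElements = newSize;
        return true;
    }
    uint32_t Size() const { return m_numElements; }

private:
    uint32_t* m_elements;
    uint32_t m_numElements;
};

int main() {
    Int32Array a;
    std::printf("Resize(0) ok=%d size=%u\n", a.Resize(0), a.Size());
    std::printf("Resize(0x40000000) ok=%d\n", a.Resize(0x40000000u));
    return 0;
}
```

Both guards agree for every nonzero count; only the divisor differs, which is why the fault appears solely when a file yields an empty table.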